(noob alert) First time working with PEAP. I inherited a domain wireless network that is using PEAP as its network authentication method. This network is not authenticating users that don't have a profile cached on the client. (If I hardwire a laptop and authenticate, then the PEAP wifi will work.) I'm trying to troubleshoot why this is happening. I know there is a security policy set, but I'm not sure if it's set correctly or what parameters need to be set.

I'm not understanding how PEAP works. How can you try to authenticate on a network where you already have to be known before it lets you in? It seems that the client machine has no way of reaching the DC for authentication since it's using that wireless to reach the DC's destination. There should be a way that the authentication request flows to the DC and then back to the client to allow that full wireless connection to be established.

We are getting a "Currently no logon servers available to process the logon request" error.

The wireless controller will act as an intermediary to talk with an authentication server. In the wireless controller you need to configure the WPA2 Enterprise / PEAP settings to specify the IP and port of your authentication server. (I've done this where RADIUS servers are the authentication servers, but I imagine there is a way for this to work with active directory, etc). The process goes like this:

1) Turn on a laptop configured to connect to WPA Enterprise / PEAP on the given SSID,

2) The laptop should attempt to associate with the AP

3) Once associated, AP will send a PEAP authentication request to the laptop, which responds with its userID

4) The AP will send the userID to the RADIUS server

5) A TLS tunnel gets established between the RADIUS server and the laptop wireless supplicant software (part of windows)

8) At this point the laptop should have network access, and you can log into the domain using domain credentials

The piece I'm unclear about is how to configure your Active Directory to look like a RADIUS server for the wireless controller settings, etc., but this is obviously something that many people have run into before since PEAP is a popular setup with Windows.
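Step 1 above depends on how the Windows wireless profile is configured: a profile that authenticates as the computer (before anyone logs on) can reach the DC, while a user-only profile cannot until a cached logon exists. The following PowerShell is an added example, not code from anyone in this thread; it exports the profile with netsh and reads the 802.1X `authMode` and EAP method from the XML. The SSID name and scratch folder are assumptions to adjust.

```powershell
# Added example: inspect a Windows WLAN profile for machine vs. user 802.1X auth.
# Assumptions: $Ssid is your SSID; $Folder is a scratch directory for the export.
$Ssid   = 'Corp-WiFi'            # assumption: replace with the real SSID
$Folder = Join-Path $env:TEMP 'wlan-export'
New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# netsh writes the profile as an XML file into the folder (exit code 0 on success).
netsh wlan export profile name="$Ssid" folder="$Folder" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Profile '$Ssid' not found on this machine." }

$xmlFile = Get-ChildItem -Path $Folder -Filter '*.xml' | Select-Object -First 1
[xml]$wlanXml = Get-Content -Path $xmlFile.FullName -Raw

# PowerShell's XML dot-notation ignores namespaces, so this walks the
# WLANProfile -> MSM -> security -> OneX tree directly.
$security = $wlanXml.WLANProfile.MSM.security
$oneX     = $security.OneX

# authMode values: 'machine', 'user', 'machineOrUser'. When the element is
# absent Windows treats it as 'machineOrUser' (default per the OneX schema).
$authMode = if ($oneX.authMode) { $oneX.authMode } else { 'machineOrUser (default)' }

# EAP method type 25 = PEAP; 13 = EAP-TLS.
$eapType  = $oneX.EAPConfig.EapHostConfig.EapMethod.Type

[pscustomobject]@{
    SSID           = $Ssid
    Authentication = $security.authEncryption.authentication   # expect WPA2 for Enterprise
    Encryption     = $security.authEncryption.encryption
    UseOneX        = $security.authEncryption.useOneX
    AuthMode       = $authMode
    EapMethodType  = $eapType
    MachineAuthOK  = ($authMode -like 'machine*')  # false => no network before logon
}
```

If `MachineAuthOK` is false the laptop has no path to a DC until a user with cached credentials logs on, which matches the "no logon servers available" symptom. Machine authentication additionally requires the client to be domain-joined, so that the computer account exists for NPS to validate.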

Since your computers are not part of the school domain, you are pretty much SOL.

Unless you can establish network connectivity prior to login, which requires either hardwired Ethernet, a static WPA2 key, or being joined to the school's domain to facilitate computer-based authentication, the 'kludge' you are dealing with will likely have to continue.

So you have three options:

Continue as is

Join your computers to the school domain

Use an alternate means of connecting to the internet to establish your VPN. (think an aircard)

Typically when an entity makes a security change like this (moving to a digital certificate based WPA/WPA2 wireless system) it is expressly intended to eliminate insecure/unauthorized connections such as this from being allowed. Many entities' policies (mine included) expressly forbid any account sharing and/or usage of our internal wireless network by any non-entity system and/or user, and abuse is a terminable offence both for the employee whose account was shared and for the person that connected, including contractors, for breach of security policies.

Perhaps working with the school's IT group would be the best approach to come up with a better solution. For instance, they may be able to enable a secondary/guest SSID network for you to connect to that would rely on a key.

First check the config on the APs; if they use 802.1X, find the NPS and check the network and connection request policies.
Check the event log to see how the client is authenticated (user or computer account, etc.).
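On the NPS side, the Security log records every RADIUS decision: event 6272 is access granted and 6273 is access denied, and the account field shows whether the client authenticated as a user (DOMAIN\user) or as the computer (host/name.domain). This PowerShell is an added example, not something posted by the answerer; it lists the NPS policies and summarises recent 802.1X results. It assumes NPS auditing is enabled and that it runs on the NPS server itself; the EventData field names used are the ones these events carry.

```powershell
# Added example: review NPS policies and recent 802.1X authentication results.
# Run on the NPS server with an elevated prompt.

# Network policies and connection request policies as configured in NPS.
netsh nps show np
netsh nps show cp

# Pull the last 50 grant/deny decisions from the Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents 50

$results = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $account = $d['SubjectUserName']
    [pscustomobject]@{
        Time          = $e.TimeCreated
        Result        = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
        Account       = $account
        # Machine auth identities look like host/laptop01.school.local
        AuthAs        = if ($account -like 'host/*') { 'Computer' } else { 'User' }
        ClientMAC     = $d['CallingStationID']
        NAS           = $d['NASIdentifier']
        NetworkPolicy = $d['NetworkPolicyName']
        AuthType      = $d['AuthenticationType']
        EapType       = $d['EAPType']
        ReasonCode    = $d['ReasonCode']
        Reason        = $d['Reason']
    }
}

$results | Format-Table Time, Result, AuthAs, Account, NetworkPolicy, ReasonCode, Reason -AutoSize

# Quick summary: if every successful event is 'User' and denials cluster on
# 'Computer', machine authentication is being rejected by policy.
$results | Group-Object Result, AuthAs | Select-Object Name, Count
```

If you see no events at all, auditing for the Network Policy Server subcategory is probably off; without it NPS logs nothing to the Security log and you are left with the text accounting logs only.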
